Don’t add your domain to Droplr!

A custom domain, coupled with Droplr, is a surefire way to ruin your domain's reputation with Google. Droplr see this as a feature request rather than a fundamental flaw, so here’s my warning.

Nathan Monk
2 min read · Sep 20, 2019

I woke up one morning, with an email from Google Search Console. It was a warning that social engineering had been detected on my domain and that “affected pages have been demoted in Google’s search results” and that “browsers such as Google Chrome now display a warning when users visit your site.”

I quickly identified that the suspect link was on a recently created subdomain that I had made for use with Droplr (a file/screenshot storage and sharing service). I have a team plan, so I started a support chat with Droplr to see if the drop was created by someone in my team (it wasn’t).

I got told that the link in question had been deactivated, but they swerved my question about who it belonged to. At this point, I smelt something fishy. After some back and forth, it turns out that the link in question belonged to someone else completely.

How? Because links are not unique to your domain on Droplr.

For example: I took a link of mine (https://d.pr/Gnkwcr) and then found another link from Droplr, but using a custom domain. But I took off the URL's ID from the slug and replaced it with the one from my link.

This created https://files.nunn.ink/Gnkwcr

I would expect that this would 404. “Gnkwcr” doesn't belong to files.nunn.ink. However, these are shared. This means someone could create a Droplr account and link to tons of malicious sites and content, and Google will crawl it as a link belonging to your custom domain, then blacklist your domain as a result.
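To make the difference concrete, here is a small model of the two lookup behaviours: the shared ID namespace described above, next to a lookup that scopes IDs to the account owning the custom domain. It is an added example, not Droplr's code; the account names, drop IDs, hosts other than d.pr, and function names are all constructed for illustration.

```python
from dataclasses import dataclass

SHARED_HOST = "d.pr"  # the service's own short-link host, as on the page

@dataclass(frozen=True)
class Drop:
    drop_id: str
    account: str
    target: str

# Constructed sample data: two accounts, one custom domain.
DROPS = {d.drop_id: d for d in (
    Drop("AAAAAA", "acct-owner", "https://storage.example/owner-screenshot.png"),
    Drop("BBBBBB", "acct-stranger", "https://storage.example/stranger-upload.html"),
)}
CUSTOM_DOMAINS = {"files.example.org": "acct-owner"}

def resolve_shared(host, drop_id):
    """Behaviour the post describes: the host is ignored, any ID resolves."""
    drop = DROPS.get(drop_id)
    return (200, drop.target) if drop else (404, None)

def resolve_scoped(host, drop_id):
    """Expected behaviour: a custom domain serves only its own account's drops."""
    drop = DROPS.get(drop_id)
    if drop is None:
        return (404, None)
    if host != SHARED_HOST and CUSTOM_DOMAINS.get(host) != drop.account:
        return (404, None)  # unknown host or foreign drop: do not serve
    return (200, drop.target)

def foreign_drops_served(resolve, host):
    """IDs from other accounts that `resolve` would serve under `host`."""
    owner = CUSTOM_DOMAINS[host]
    return sorted(d.drop_id for d in DROPS.values()
                  if d.account != owner and resolve(host, d.drop_id)[0] == 200)

if __name__ == "__main__":
    for fn in (resolve_shared, resolve_scoped):
        print(fn.__name__, foreign_drops_served(fn, "files.example.org"))
```

With the shared lookup, the custom domain answers for the other account's drop; with the scoped lookup it returns 404 there while the shared host keeps working for every ID.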

This issue was first reported to Droplr on Friday 19th July, and has not yet been resolved. Droplr don’t seem bothered by it.

If you use a custom domain with Droplr, your domain reputation is at risk. Remove your domain now.


Nathan Monk

Co-founder and Solution Architect @SMILEupdate. CTO @HEERAnews. Web developer and designer working with #HigherEd clients. ❤ WordPress. #EdTech